Last Updated: June 11th, 2026 | 11 min read | Categories: Dark Web, Data Exfiltration, Exploits


A new stealer called OnyxC2 surfaced on a cybercrime network in early 2026, sold as a complete product: a web panel, a payload builder, tiered pricing, and refunds if a build gets caught. For $250 a month, operators get a kit that harvests browser credentials, password-manager vaults, two-factor authentication (2FA) extension data, and crypto wallets across roughly 210 applications and extensions, then ships it all back over an encrypted channel.

Panel And Builder

The developer markets OnyxC2 as a complete product, with a Bots page, a Logs page, a Builder, a Users page with roles, and a Settings page offering cloud storage and AES-256 build encryption. It is software sold and supported like a commercial product, which is what puts a capable stealer in the hands of buyers who could never write one.


Figure 1: OnyxC2 dashboard harvest totals.

The stub is written in C++ with assembly for direct syscalls, mutated per build to break signature rules. The developer advertises a 99% detection-evasion rate, and a runtime scan screenshot shipped with the listing shows a build flagged by only 2 of 18 antivirus engines. Both figures come from the seller, not from an independent test.

Our own samples lined up with that claim. Both delivery archives came back clean on their first VirusTotal upload, and the malicious component inside them was still unflagged when we last checked on May 30, 2026.

The listing prices OnyxC2 in tiers, with the higher tiers unlocking the remote-access modules. The panel screenshots show more than the written listing advertises, including modules the sales copy never names, so the published feature set understates what the tool can actually do.


Figure 2: OnyxC2 license tiers and pricing.

The developer enumerates a broad target list. The stealer reaches 37 Chromium-based and 8 Gecko-based browsers, then 95 Chromium and 14 Gecko extensions, including 6 dedicated two-factor authentication extensions. It also covers 5 password managers, 17 cryptocurrency wallets, 11 FTP clients, and 5 email clients, with a further set of VPN, remote access, messaging, note-taking, and gaming targets. Counted together, that is roughly 210 applications and extensions across nine categories.

A stealer that scrapes password managers and 2FA extensions alongside saved logins is built to collect the credentials and session material that survive a password reset. The FTP and email targets push it past consumer credential theft and into the business systems that small finance and operations teams rely on every day. One infected host shown in the panel had already surrendered 55 saved passwords, 4,717 cookies, 719 autofill entries, 2 cards, and a wallet.


Figure 3: Harvested credential log view, redacted.

OnyxC2 pairs the stealer with a remote-access toolkit. The developer advertises HVNC over a web browser, LSASS dumping, RunPE in memory and on disk, a reverse SOCKS5 proxy, screenshot capture, a keylogger, a file manager, and a reverse shell over HTTP. Two further capabilities appear in the panel but never in the sales copy: a built-in TOR tunnel and AES-256-encrypted build downloads.


Figure 4: Active HVNC session in the bot view.

The build dialog exposes every option an operator can toggle: EXE or DLL output, Cloudflare-fronted HTTPS, anti-VM detection, scheduled-task autorun, self-copy, a loader, and DLL sideloading through a signed OneDrive binary. It also writes a default backend path of /backend/api/app.php.


Figure 5: OnyxC2 builder with backend path.

Fake Installer Delivery

We obtained two OnyxC2 builds and worked through them statically. Both arrived as password-protected archives named to look like ordinary downloads, part of a wider set of more than twenty malicious files tied to a single distribution host that itself scores 13 of 94 on VirusTotal. The lures included Fling-Standalone, FinePrint, SystemSettings, and fake Windows update packages.


Figure 6: MalwareBazaar records for two OnyxC2 archives.

Inside each archive is a two-file pair built for DLL sideloading. The first is a legitimate application carrying a valid Authenticode signature from a real software publisher, which on VirusTotal shows zero detections across 71 engines. The second is a malicious DLL named to match a library the signed program loads on startup. When the victim runs the installer, the trusted signed binary loads the attacker DLL from the same folder.

The DLL is built for concealment. We expected malicious code and instead found what looks like a genuine NVIDIA graphics library, exporting real graphics functions, inflated past 120 MB. The size is the trick. The actual payload is an encrypted blob appended past the legitimate code and regenerated for every build, and many scanning engines apply a file-size ceiling and skip files that large, which likely contributes to the delivery archives showing zero detections when first submitted. Static analysis confirms the structure but cannot read the payload, which stays encrypted until runtime.

Binary Sideloading Evidence

The binary layout is what makes the delivery chain clear. The signed host executable is a PE32+ Windows binary with a valid Authenticode signature and a direct import of borlndmm.dll. That import is the load point: the attacker does not need to exploit the signed binary, only to place a DLL with that name next to it, because the loader resolves a by-name import from the application's own directory before it looks in the system directories.

Both local builds reuse the same signed host executable. Setup_File_75.593.2113.exe and Setup_File_27.430.4673.exe share the same SHA-256 hash, 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2, while the paired DLL changes between builds. That points to a stable sideload host with a generated payload component.


Figure 7: Sandbox flags the signed host loading borlndmm.dll.

The DLLs are also not just empty padding. Each borlndmm.dll sample is 133,297,536 bytes, and static analysis found 43 exported functions, including NVIDIA NGX-style names such as NVSDK_NGX_D3D11_CreateFeature, NVSDK_NGX_D3D12_Init, and NVSDK_NGX_VULKAN_EvaluateFeature. The file shape is meant to look like a graphics-support library while still satisfying the signed program’s import requirement.

Comparing the two DLLs shows how little needs to change between builds. They are the same size, the first byte difference appears around 52.83 MB, and only 776,899 bytes differ in total, about 0.58% of the file. The last non-zero byte sits at the end of both samples, so this is not a simple block of trailing nulls. The more likely pattern is a mostly stable loader/library wrapper with an encrypted or packed payload region that changes per build.
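The comparison above (same size, first differing byte, total differing bytes, last non-zero byte) is easy to reproduce on any pair of builds, and adding an entropy measurement over the differing region is what separates an encrypted overlay from mere padding. The script below is an added example, not code from the original post or from the OnyxC2 author; the two "builds" it compares are constructed in memory so it runs offline, and the 4 MiB stand-in size, the payload offset, and the 7.0 bits/byte threshold for "looks encrypted" are assumptions for the demo. Pass two file paths to compare real samples instead.

```python
"""Locate the per-build payload region in two sideload DLLs.

Added example, not code from the original post or from the OnyxC2 author. It
reproduces the comparison described in the text (same size, first differing
byte, total differing bytes, last non-zero byte) and adds a Shannon-entropy
check over the differing region to tell an encrypted payload from padding.
The two "builds" are constructed in memory so the script runs offline; the
ENCRYPTED_THRESHOLD and the 4 MiB stand-in size are assumptions for the demo.
"""
import math
import random
import sys
from collections import Counter

MIB = 1024 * 1024
ENCRYPTED_THRESHOLD = 7.0  # bits/byte; assumption: above this, treat as packed/encrypted


def shannon_entropy(data: bytes) -> float:
    """Entropy in bits per byte: ~8.0 for ciphertext, ~0 for repeated padding."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def last_nonzero_offset(data: bytes) -> int:
    """Offset of the last non-zero byte, or -1 if the buffer is all zeros."""
    return len(data.rstrip(b"\x00")) - 1


def compare_builds(a: bytes, b: bytes, chunk: int = MIB) -> dict:
    """Summarise where two equal-sized builds differ. Works chunk by chunk so
    100 MB+ files stay cheap: identical chunks are skipped, and differing
    chunks are XORed as big integers rather than byte-by-byte in Python."""
    if len(a) != len(b):
        raise ValueError(f"sizes differ: {len(a)} vs {len(b)}")
    first = last = -1
    diff_bytes = 0
    for off in range(0, len(a), chunk):
        ca, cb = a[off:off + chunk], b[off:off + chunk]
        if ca == cb:
            continue
        xor = (int.from_bytes(ca, "little") ^ int.from_bytes(cb, "little")).to_bytes(len(ca), "little")
        diff_bytes += len(xor) - xor.count(0)
        if first < 0:
            first = off + next(i for i, v in enumerate(xor) if v)
        last = off + len(xor.rstrip(b"\x00")) - 1
    result = {
        "size": len(a),
        "first_diff": first,
        "last_diff": last,
        "diff_bytes": diff_bytes,
        "diff_ratio": diff_bytes / len(a) if a else 0.0,
        "last_nonzero_a": last_nonzero_offset(a),
        "last_nonzero_b": last_nonzero_offset(b),
    }
    if first >= 0:
        region = slice(first, last + 1)
        result["region_entropy_a"] = shannon_entropy(a[region])
        result["region_entropy_b"] = shannon_entropy(b[region])
        result["prefix_entropy"] = shannon_entropy(a[:first])  # the stable wrapper before the payload
        result["region_looks_encrypted"] = (
            min(result["region_entropy_a"], result["region_entropy_b"]) > ENCRYPTED_THRESHOLD
        )
    return result


def make_build(seed: int, size: int = 4 * MIB, payload_off: int = 3 * MIB, payload_len: int = 64 * 1024) -> bytes:
    """Constructed stand-in for one build (not a real OnyxC2 sample): a stable,
    low-entropy wrapper with a per-build pseudo-random 'payload' region, ending
    in a non-zero byte so the tail is not mistaken for trailing nulls."""
    buf = bytearray(bytes(range(16)) * (size // 16))
    buf[payload_off:payload_off + payload_len] = random.Random(seed).randbytes(payload_len)
    buf[-1] = 0xFF
    return bytes(buf)


if __name__ == "__main__":
    if len(sys.argv) == 3:  # compare two real files: python diff_builds.py a.dll b.dll
        with open(sys.argv[1], "rb") as fa, open(sys.argv[2], "rb") as fb:
            report = compare_builds(fa.read(), fb.read())
    else:
        report = compare_builds(make_build(1), make_build(2))
    for key, value in report.items():
        print(f"{key:>24}: {value:.4f}" if isinstance(value, float) else f"{key:>24}: {value}")
```

On the constructed pair the differing region starts at the 3 MiB mark, covers well under 2% of the file, and measures close to 8 bits/byte while the wrapper ahead of it sits near 4 bits/byte; on real builds the same shape (a tiny, high-entropy differing window inside a large, stable, code-like wrapper) is the signature of a generated encrypted payload rather than a recompiled library.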

Live C2 Confirmation

To get past the encryption we let the samples run in a sandbox, and the network traffic is where the chain closed. Infected hosts beacon to the distribution host at /backend/api/app.php, the exact path the builder writes by default.


Figure 8: Sandbox HTTP requests to the OnyxC2 backend path.

The requests follow a consistent protocol that mirrors the panel.

An action=sync request registers the host, sending the same fields shown on the bot page: hardware ID, username, OS build, privilege level, antivirus name, CPU, and GPU. An action=poll request runs the check-in loop, reporting the foreground window and whether the user is active or idle. An action=cfg request pulls configuration, and action=up_d uploads stolen browser data with the browser named in the request.

Every request carries a per-operator ownertoken value and a botversion of 2.0. The path, the parameters, and the token model all line up with the OnyxC2 panel from the listing. The advertised product and the live infections are the same system, rather than two things that happen to resemble each other.
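Because the domain sits behind Cloudflare and can be swapped per build, the durable detection is the protocol shape above, not the host: the fixed backend path, the four action values, the ownertoken, and botversion=2.0. The script below is an added example, not code from the original post or from the OnyxC2 panel. It scores HTTP request records on those elements and pivots the hits by ownertoken, so one token seen from several hardware IDs reads as one operator's campaign even across rotated domains. The log lines are constructed; the "timestamp src method url status" layout, the invented tokens and hardware IDs, the second fronted domain, and the assumption that the parameters travel in the query string are all assumptions rather than an observed format.

```python
"""Flag OnyxC2-style beacons in HTTP request records by protocol shape.

Added example, not code from the original post or from the OnyxC2 panel. It
matches on the elements the post describes (the /backend/api/app.php path,
the sync/poll/cfg/up_d actions, an ownertoken, botversion=2.0) rather than
on the domain or the Cloudflare IP, because the operator can change those.
The log lines are constructed; their layout and the query-string placement
of the parameters are assumptions, not an observed log format.
"""
from typing import Optional
from urllib.parse import parse_qs, urlsplit

ONYX_PATH = "/backend/api/app.php"
ONYX_ACTIONS = {"sync", "poll", "cfg", "up_d"}
ONYX_BOTVERSION = "2.0"

# Constructed records. Tokens and hardware IDs are invented for the demo; the
# first domain is the one published in the post, the second is a made-up
# stand-in for a rotated fronted domain. Last two lines are benign traffic.
SAMPLE_LOG = """\
2026-05-30T09:12:01Z 10.0.0.17 POST https://akmuniverstall.top/backend/api/app.php?action=sync&hwid=0f3a9c12&ownertoken=op_demo_7f3e&botversion=2.0 200
2026-05-30T09:12:31Z 10.0.0.17 POST https://akmuniverstall.top/backend/api/app.php?action=poll&hwid=0f3a9c12&ownertoken=op_demo_7f3e&botversion=2.0 200
2026-05-30T09:13:05Z 10.0.0.23 POST https://panel-updates.example/backend/api/app.php?action=cfg&hwid=c4d5e6f7&ownertoken=op_demo_7f3e&botversion=2.0 200
2026-05-30T09:14:40Z 10.0.0.23 POST https://panel-updates.example/backend/api/app.php?action=up_d&hwid=c4d5e6f7&ownertoken=op_demo_7f3e&botversion=2.0 200
2026-05-30T09:15:00Z 10.0.0.42 GET https://intranet.example/backend/api/app.php?action=list&page=2 200
2026-05-30T09:15:02Z 10.0.0.42 GET https://www.example.com/index.html 200
"""


def classify_url(url: str) -> Optional[dict]:
    """Return a finding for one URL, or None when the path does not match.

    Confidence: "high" when the path, a known action, an ownertoken and the
    expected botversion are all present; "medium" when the path and a known
    action match; "low" when only the path matches (worth a look, not an alert,
    since /backend/api/app.php is a generic enough path to collide with real apps).
    """
    parts = urlsplit(url)
    if parts.path != ONYX_PATH:
        return None
    qs = {k: v[0] for k, v in parse_qs(parts.query).items()}
    action = qs.get("action")
    known_action = action in ONYX_ACTIONS
    full_shape = known_action and "ownertoken" in qs and qs.get("botversion") == ONYX_BOTVERSION
    confidence = "high" if full_shape else "medium" if known_action else "low"
    return {
        "host": parts.hostname,
        "action": action,
        "hwid": qs.get("hwid"),
        "ownertoken": qs.get("ownertoken"),
        "botversion": qs.get("botversion"),
        "confidence": confidence,
    }


def scan_log(text: str) -> list:
    """Parse 'timestamp src method url status' lines and collect findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        ts, src, method, url, status = fields[:5]
        finding = classify_url(url)
        if finding:
            finding.update(timestamp=ts, src=src, method=method, status=status)
            findings.append(finding)
    return findings


def operators(findings: list) -> dict:
    """Pivot high-confidence findings by ownertoken: one token across several
    hwids is one operator's campaign, even when the fronted domain changes."""
    by_token = {}
    for f in findings:
        if f["confidence"] == "high" and f["hwid"]:
            by_token.setdefault(f["ownertoken"], set()).add(f["hwid"])
    return by_token


if __name__ == "__main__":
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(f'{h["timestamp"]} {h["src"]:<10} {h["confidence"]:<6} {h["host"]:<24} action={h["action"]} hwid={h["hwid"]}')
    for token, hosts in operators(hits).items():
        print(f"ownertoken {token}: {len(hosts)} host(s) -> {sorted(hosts)}")
```

The intranet line scores only "low" because its path collides with the IOC but it carries none of the protocol parameters; that distinction is what keeps a path-only rule from paging on every PHP backend that happens to use the same directory layout.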

Beyond Malware Cleanup

A stealer with this reach turns one compromised workstation into standing access across a person’s working life. 

Stolen session cookies bypass a fresh login, password-manager vaults hand over the long tail of credentials, 2FA backup material undermines the second factor, and FTP and email connections expose customer systems directly. With HVNC, the operator inherits the victim’s authenticated browser outright.

Every link in this chain bends toward one final step. The signed binary, the bloated DLL, the encrypted overlay, and the rotating builds all exist to get the payload running quietly, but the operator only profits once stolen data leaves the host. That is the step BlackFog’s anti data exfiltration (ADX) technology is built to stop.

Enforced at the endpoint, ADX blocks the outbound transfer regardless of which trusted process loaded the payload or which Cloudflare-fronted domain it beacons to, breaking the chain at the one point where the theft becomes real.

Learn more here: ADX Protect

MITRE ATT&CK Mapping

Technique ID | Technique | OnyxC2 activity
T1574.002 | Hijack Execution Flow: DLL Side-Loading | Signed installer loads a malicious DLL from its own folder
T1027.001 | Obfuscated Files or Information: Binary Padding | Payload DLL inflated past 120 MB to evade size-limited scanners
T1027 | Obfuscated Files or Information | Encrypted payload overlay, regenerated per build
T1497 | Virtualization/Sandbox Evasion | Anti-VM detection offered as a build option
T1053.005 | Scheduled Task/Job: Scheduled Task | Autorun persistence offered as a build option
T1555.003 | Credentials from Password Stores: Credentials from Web Browsers | Saved logins from 45 browsers (37 Chromium, 8 Gecko)
T1555.005 | Credentials from Password Stores: Password Managers | 5 password managers targeted
T1539 | Steal Web Session Cookie | Cookie theft across the targeted browser set
T1003.001 | OS Credential Dumping: LSASS Memory | LSASS dump advertised in the listing
T1056.001 | Input Capture: Keylogging | Keylogger advertised in the listing
T1113 | Screen Capture | Screenshot module advertised and observed
T1564.003 | Hide Artifacts: Hidden Window | HVNC drives a hidden desktop
T1090.003 | Proxy: Multi-hop Proxy | Built-in TOR tunnel
T1071.001 | Application Layer Protocol: Web Protocols | HTTPS C2 to /backend/api/app.php, Cloudflare-fronted
T1041 | Exfiltration Over C2 Channel | Browser data uploaded via action=up_d

Indicators of Compromise

Type | Value
C2 / distribution domain | akmuniverstall.top (13/94 on VirusTotal)
C2 endpoint path | /backend/api/app.php
C2 protocol actions | sync, poll, cfg, up_d
C2 parameters | hwid, ownertoken, botversion=2.0
Cloudflare fronting IPs | 104.18.20.213, 104.21.46.39, 172.67.223.39 (shared Cloudflare edge addresses; pivot on the domain, path and parameters rather than blocking these outright)
Signed sideload host (SHA-256) | 41999a3d0da035ff8068905c90235ea50121329cb0661e38d745974ebf5e3ae2 (0/71, valid signature; a legitimate publisher's binary, so hunt for it sitting next to an unsigned borlndmm.dll rather than blocking the hash alone)
Malicious DLL 1 (SHA-256) | 78945c844fc23dd3446cf17987edeeb6cc21986820c92df82a126af24a5a38d1
Malicious DLL 2 (SHA-256) | d89bb4b23a67814ef511e4e9dda7ad36fa519a322fa7c25ea451c7dd7ef61e54
Delivery archive (SHA-256) | f6e4b09ef788adef3f65fd2b99da8f5be5391be29471676dc07040a56c8fdfab
Lure filenames | Fling-Standalone*, FinePrint*, SystemSettings.exe, fake Windows update ZIPs
Builder version | 3.0
Client version (in the wild) | botversion=2.0
